I have tried to prevent XSS attacks in my application by sanitizing the requests containing special characters and following OWASP guidelines. But as per the Business requirements, they require all the special characters to be used that I sanitized. We have multiple 3rd party integrations and most of them also require those special characters to be sent from our system.
In order to prevent attack only in our system, is it a good approach to sanitize the response that we send to web applications instead of doing it for requests? So that all the 3rd party system's internal users will be able to use the special characters.
If not the above approach, can you please suggest some other approaches?
Input from you all will really be very helpful!
It's best to sanitize incoming data to avoid persistence XSS, that may be saved in a database or output to a log file that's view in a browser. You really don't want raw data coming from the internet save in your internal, private network. Of course even though defense in depth is in place and outgoing connection is blocked, I wouldn't risk it and infosec wouldn't approve it.